Restrict access to port based on client IPs
Hi,
This is hopefully a fairly straightforward newbie OS networking question!
I want to configure a Solaris server such that access to a specified port is restricted to a defined small list of client IP addresses. Ideally looking for a solution that works both on Solaris 9 and 10, and would use only standard Solaris options available on both these versions. But if this isn't possible, am open to all suggestions!
Thanks very much,
Adrian
Check out ipfilter
Supported on both versions, fits your requirements. Ideally though, you'd have access restricted by a perimeter firewall device and the services located behind it but you may not be able to. That way your networking security configuration is centralised.
hth.
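As an added example (not from the original thread), an IPFilter rule set for the case described above. It assumes an interface named hme0, a service port of 8080, and the RFC 5737 documentation addresses 192.0.2.10 and 192.0.2.11 as the permitted clients; all three are placeholders.

```conf
# /etc/ipf/ipf.conf  (added example; interface hme0, port 8080 and the
# 192.0.2.x client addresses are assumptions, substitute your own)
#
# IPFilter evaluates rules top to bottom and the LAST match wins unless a
# rule carries "quick", which stops evaluation at that rule. Every rule
# below is "quick", so the order is: allow-list first, then the catch-all
# block for that port.

# Permitted clients: allow the TCP handshake (SYN only) and track the
# connection so return packets and later segments pass without more rules.
pass in quick on hme0 proto tcp from 192.0.2.10/32 to any port = 8080 flags S keep state
pass in quick on hme0 proto tcp from 192.0.2.11/32 to any port = 8080 flags S keep state

# Everyone else is refused on that port and the attempt is logged (ipmon).
block in log quick on hme0 proto tcp from any to any port = 8080

# No rule touches other ports, and IPFilter passes traffic that matches
# no rule, so the host's other services are unaffected.
```

On Solaris 10 the service is enabled with svcadm enable network/ipfilter; on either release, ipf -Fa -f /etc/ipf/ipf.conf flushes and loads the rules, and ipfstat -ih shows per-rule hit counts so you can confirm that a test connection from a non-listed address lands on the block rule.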
Similar Messages
-
ACE: Can I loadbalance based on client Source IP/and client tcp source port?
We recently migrated serving a client from being thick client at the desktop to being served via a citrix farm. Prior to the migration the clients came from about 5000 unique source IP's to their VIP, now they come from only 31 unique source IP's from the citrix servers in the farm. A citrix server can host 400 client sessions, since the default action of the ACE is to loadbalance based on source IP's, the ACE is sending up to 400 sessions from one citrix server to 1 real server in the farm. Is there anyway I can loadbalance based on client source IP and tcp source port so the ACE views the 400 sessions from one citrix server as unique sessions? The application does not require persistence.
Hello,
Yes, you can configure a "Sticky Layer 4 Payload" as described on this link:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/command/reference/sticky.html#wp1039276
Unfortunately I do not have any working example. You must calculate the right values for the Offset and the Length to configure.
Regards Jean-Marc -
How to do .1x port based network access authentication through ACS
How to do .1x port based network access authentication through ACS.
Hi,
802.1x can authenticate hosts either through a username/password or via the MAC address of the clients (PCs, printers etc.). This process is called Agentless Network Access, which can be done through MAC Auth Bypass.
In this process the 802.1x switchport sends the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, the authentication is successful and the PC is granted network access.
To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
Regards,
Kush -
Dear All,
We are having an infrastructure setup of around 500 client computers managed through group policy.
Recently the domain controllers have been migrated from Windows Server 2003 to Server 2008 R2.
Since this account requires an extremely strict environment, we need to figure out a solution for restricting the users from accessing anything locally.
It would be great if you can assist me with the following query.
How to restrict users logged on Windows 7 clients from accessing Windows Explorer and browsing other systems in the network through Group Policy with a domain controller running on Windows Server 2008 r2 ?
Can we disable Network Tab on the left hand pane ?
explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.
> explorer.exe is blocked already, but users are able to enter the Windows Explorer by clicking on the name which is visible on the Start Menu.
You cannot block explorer.exe when you do not replace the shell - the desktop you see effectively IS explorer.exe...
Your requirement sounds like you need a custom shell:
http://gpsearch.azurewebsites.net/#2812
Martin
Read a GOOD book about GPOs for once?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Specify the port in the client in a TCP connection
Hi,
I am programming an application using TCP sockets. I have programmed a server with a SocketServer(port) and it is waiting for client requests (the server is a public host on the Internet). The client connects to the server by means of the method:
Socket s = new Socket(host, port);
That works correctly, but now I want to specify the port in the client. The client's PC is a machine on the Internet and it has a public IP. I tried to use the method:
Socket(String host, int port, InetAddress localAddr, int localPort)
where localAddr is the local IP of the client's PC (because I cannot know the public IP).
However, this method doesn't work and the client cannot connect to the server. The problem is that I want to specify the client port in the TCP socket connection when I try to connect to the host.
How can I resolve this problem?
Thanks
> I want to specify the port in the client
Why?
-
Port-Based Authentication on 877
Hi
I have applied following commands to enable Port-Based Authentication but when I run command sh mac address-table it shows static mac on this port ( xx 0000.xxxx.xxxx STATIC Gi1/0/3) .
authentication control-direction in
authentication event fail retry 1 action authorize vlan xx
authentication event no-response action authorize vlan xx
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
When I remove the command authentication port-control auto, the sh mac address-table command shows me a DYNAMIC MAC.
Can anyone please explain to me why this is happening?
Regards,
Any input?
-
IEEE 802.1x port-based authentication
I want to configure IEEE 802.1x port-based authentication on Cisco switches, preferably the 2960 series. Which models support this feature? I have tried with some older switches but it doesn't work properly on every one of them.
I have upgraded them without better results; there is namely an issue with TLS handshaking on some switches which causes authentication to fail.
Hi Claudia,
do you mean that the EAP-TLS authentication fails only on some 2960 switches and it works on other 2960s?
What is the IOS version you're using there?
What is the RADIUS server in use?
What is the exact error message you see on the RADIUS side?
Usually, the reason for an EAP-TLS handshake failure is to be troubleshot on the supplicant and AAA server; however, there may be something on the switch depending on the certificate size and the MTU settings on the switch(es).
What is the server cert size and the MTU configured on the switches?
With the info you provided it's difficult to say what's the reason of this failure.
I would suggest starting by looking into the above mentioned topics; otherwise you would need to proceed with deeper debugging and sniffer traces, which may be better/easier to handle through a TAC case.
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it. -
Best practices for securing communication to internet based SCCM clients ?
What type of SSL certs does the community think should be used to secure traffic from internet based SCCM clients? Should 3rd party SSL certs be used? When doing an inventory, for example, of the clients' configuration in order to run reports later, how should the data be protected during transit?
From a technical perspective, it doesn't matter where the certs come from as there is no difference whatsoever. A cert is a cert is a cert. The certs are *not* what provide the protection, they simply enable the use of SSL to protect the data in transit and also provide an authentication mechanism.
From a logistics and cost perspective though, there is a huge difference. You may not be aware, but *every* client in IBCM requires its own unique client authentication certificate. This will get very expensive very quickly and is a recurring cost because certs expire (most commercial cert vendors rarely offer certs valid for more than 3 years). Also, deploying certs from a 3rd party is not a trivial endeavor -- you more or less run into chicken and egg issues here. With an internal Microsoft PKI, if designed properly, there is zero recurring cost and deployment to internal systems is trivial. There is still certainly some cost and overhead involved, but it is dwarfed by that which comes with using a third party CA for IBCM certs.
Jason | http://blog.configmgrftw.com | @jasonsandys -
Communicate via serial port/ethernet from client app
Hi
Is it possible to communicate between the client serial port and an Apex application?
(or from the application to an ethernet device).
I need to link an application to a weighing machine and send/receive information via an Apex application. The interface will either be a serial port on the client or the weighing scales could also be connected as a network device.
Any ideas?
Thanks
Kathryn
There are ActiveX controls that you can use (http://www.activexperts.com/activcomport/howto/html/). Otherwise you could try writing a small Java applet to do this on the client end; I don't know enough about your requirements to offer more. Does the vendor of the hardware have a solution?
(Issue with this would be, non-ie browsers MIGHT not want to run vbscript or active-x controls..)
Thank you,
Tony Miller
Webster, TX -
How to install a java based irc client into a hand...
I've tried to install a java-based irc-client, but all I get is a webpage thanking for downloading. Something is updated for a while, but no application nor any new files seem to have been stored into the handheld nor mem-card.
Is there a way to install programs straight from the web other than the Ovi service? I did not find any links nor a feature to browse outside the Ovi store selection. Ovi however loaded with the installer in my phone, XpressMusic 5310.
B.Sc Information tech
Phones I have or used to have: ancient Ericsson, Nokia: 6510, 2610, 5310 XpressMusic
Hey, you can create a Java client using Eclipse or WSAD or, for that matter, any other IDE. Create a project and save the WSDLs in a package. Right click on the WSDL and go to the web service option. From there you can generate the client.
cheers,
sapan
Is it still open ?
cheers,
sapan
Edited by: sapan on Feb 25, 2009 1:17 AM -
Hi,
My Mac connects to Internet through ADSL router, and to a PPTP-VPN host through this connection.
And I want to FORCE all my http/https connections(that use destination port 80, 443, and perhaps some more) to use the VPN, while keep anything else go through the ADSL router directly.
Is this possible?
Did you find any solution?
I'm trying to find a way to do this too.. on linux port based routing can be done with iptables. Mac OS X uses ipfw but:
The fwd action does not change the contents of the packet at all.
In particular, the destination address remains unmodified, so
packets forwarded to another system will usually be rejected by
that system unless there is a matching rule on that system to
capture them.
Then there is natd? I'm not sure if this can be used..
And another one is /etc/pf.conf which has this openbsd guide but fails with "PF ERROR! No ALTQ support in kernel. ALTQ related functions disabled". -
Dear Gurus,
I'm trying to configure port based MPLS, however I find my 7206 doesn't support any encapsulation mpls, only l2tpv3. Is this an IOS dependency?
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
R2(config-if)#xconnect 3.3.3.3 100 encapsulation ?
l2tpv3 Use L2TPv3 encapsulation
tia.
Hello Jepoy,
according to feature navigator it is supported on C7200 port mode C7200
but you need some specific feature sets
like
c7200-adventerprisek9-mz.124-24.T2.bin
I have a pair of C7200 with advanced security and xconnect is not supported on them
Hope to help
Giuseppe -
Joining spreadsheets based on Client Id Number
Hi
I have two spreadsheets .
Spreadsheet 1 has sales rep name , client id , name of client
Spreadsheet 2 has client id ( not in same sequence as spreadsheet 1 ) , client name , client address , tel numbers
I would like to combine spreadsheet 1, i.e. rep name, client id, name of client, together with the address and contact details on spreadsheet 2. Spreadsheet one is based on client id, and only contains active client id numbers, whereas spreadsheet 2 contains all existing client id numbers.
How do I do it?
Assuming Client ID is in column B of both SS1 and 2, and by spreadsheet you mean separate files, not separate tabs within one workbook.
Open both spreadsheets, then in SS1 type in a cell on row 2 of the first blank columns to the right of your data:
=VLOOKUP($B2,
then navigate to SS2, and select the entire columns of information with Client ID as the first column of the selection, and press F4 until you get all $ for both columns, (should look like this:
=vlookup(B2,'[File Name.xlsx]Sheet Name'!$B:$E
and then type
, COLUMN(B2), False)
and press Enter. Then copy that cell down and to the right to match your data set and extract as many columns of data as you have. -
Change WOL Port number for clients
Hi All
We want to implement in our environment WOL functionality , for WSUS deployment and scheduled OSD deployments
We cannot unfortunately implement the default UDP port 9
My question is how can we change that default port on the clients?
I know that we can change the port on the primary server -> Site configuration -> Sites -> Properties primary site server -> tab
Port and here we can change the port number of Wake on Lan
For the client I noticed that there is a client setting -> Power Management -> Wake on Lan port Number (UDP) but that number is grayed out and set to 9
Also when I create a custom Client Setting that port number is grayed out and set to 9
How can I change that port number for the client?
Thx in advance
Regards,
Johan
The port number in Client Settings/Power Management is grayed out because "Enable wake-up proxy" is disabled. When you enable it, it becomes available. Be aware that wake-up proxy and wake on LAN are 2 different things. (Beware MAC address flapping)
To change the Wake On Lan port go to, primary server -> Site configuration -> Sites -> Properties
primary site server -> tab Port.
Wake On LAN port number (UDP)
For System Center 2012 Configuration Manager SP1 and System Center 2012 R2 Configuration Manager only:
Keep the default value of 9, unless you have changed the Wake On LAN (UDP) port number in the site Properties, Ports tab.
Important
This number must match the number in the site Properties. If you change this number in one place, it does not automatically update in the other place.
Benoit Lecours | Blog: System Center Dudes -
Restricting access to link based on a user's accesslevel
I've gotten the DW login feature working for restricting access to pages based on a user's successful login and associated accesslevel. However, I have some links that open an Excel spreadsheet and an Outlook calendar. Is there an easy way to restrict access to a link so that an unauthorized user can't navigate to the link? Here's my code for the link:
<td height="19" colspan="3"
valign="top"><em><strong><a
href="STI-Intranet/XLS/PROD_SCHED.xls" title="Current Production
Schedule (Read Only)">STI Production Schedule
</a></strong></em></td>
<td height="4%" valign="top"><strong><a href="
http://server_3/public/cal_engineering/"
title="FROM INTRANET"><font size="2" face="Verdana, Arial,
Helvetica,
sans-serif">INT</font></a></strong></td>
What server side language are you using? Do the links need to be restricted to just one access level, or multiple levels? Should it be blocked for only one level or multiple?
Bryan Ashcraft (remove brain to reply)
Web Application Developer
Wright Medical Technologies, Inc.
=============================
Macromedia Certified Dreamweaver Developer
Adobe Community Expert (DW) ::
http://www.adobe.com/communities/experts/